
Aurora and WinFixer 2005!

JohnCenaCG

Posted 10 August 2005 - 10:05 AM


Even when I do go into my WINDOWS folder (in Safe Mode) to delete Nail.exe, DrPMon.dll, and this one file with an Aurora symbol, it was gone for a little and then Nail.exe came back! I even have System Restore off just in case it was that that was bringing it back! Please help me. I can't get rid of WinFixer 2005 either!! I'm also trying to get rid of VBS.Gaggle.E@mm, I know how to, I tried, but it said I was missing GEDZAC.exe and when I searched that it said it was a worm program so I don't know what to do! I also have VBS.Gaggle.D (The gaggles are starting to annoy the sh*t outta me)

Please download APT and unzip the contents to a new folder on your desktop.

Open the folder you just created and click on apt.exe and search in the window for C:\WINDOWS\System32\cjcisy.exe.

Open your C:\Windows\system32 folder and search for cjcisy.exe.
Don't delete it yet, just leave the system32 folder open so you can see the bad file.

In APT again, Select cjcisy.exe and Click Kill3

Then immediately delete cjcisy.exe from your system32 folder.

Close APT.

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, start tapping the F8 key.

Instead of Windows loading as normal, a menu should appear

Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.

Click on scanner

Click on Complete System Scan and the scan will begin.

You will be prompted to clean the first infection.

Select "Perform action on all infections", then proceed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report.

Save the report .txt file to your desktop or a location where you can find it easily.

*IMPORTANT NOTE* CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp.

Running CleanUp

Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).

When CleanUp starts go to the Options button (right side of CleanUp screen)

Move the arrow down to "Custom CleanUp!"

Now place a checkmark next to the following (Make sure nothing else is checked!):

Delete Cookies
This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea

Empty Recycle Bins

Delete Prefetch files

Cleanup! All Users

Click OK

Then click on the CleanUp button. This will take a short while, let it do its thing.

When asked to reboot system select No

Close CleanUp

Next, copy the code below and paste it into Notepad. Save it to your desktop as fixreg.reg, making sure that under "Save as type" you have selected All Files.

When I was in Safe Mode I tried to delete kndir.dll but it said that it was in use by another program (What the...?) and when I tried to run ewido it said it couldn't read some dll file so I couldn't run that. It said that I needed to have GEDZAC.exe to open up that .reg file that I had to save and when I search GEDZAC.exe it said it was a worm program, am I like screwed or something?

*Well I reinstalled ewido and now that works, I also have that notepad thing "fixreg.reg" under "remove.bat" on my desktop also. And freakin' Nail.exe still exists!! OMG!

Dragon

Posted 11 August 2005 - 09:19 AM

OK, this is going to be a tough fix. Please print these directions out or copy and save them in Notepad to your desktop, as you won't have availability to them in Safe Mode.

These instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Restart the computer in Safe mode.
3. Run a full system scan and delete all the files detected as W32.HLLW.Gemel. Delete the text file that was created by the worm.
4. Restore the following files from known, clean backup copies, You can find these on your Windows XP CD, if the worm deleted them.

C:\Windows\Regedit.exe

C:\Windows\System\Msconfig.exe

C:\Command.com

5. Remove the values that the worm added to the registry. For specific details on each of these procedures, read the following instructions.

1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain the virus definitions. These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak.

Downloading the definitions using the Intelligent Updater. The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them.

The Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

2. Restarting the computer in Safe mode
All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe mode."

3. Scanning for and deleting the infected files

1. Start your Symantec antivirus program, and make sure that it is configured to scan All Files.

2. Run a full system scan.

3. If any files are detected as being infected with W32.HLLW.Gemel, click Delete.

4. Delete either of these files, if found:

C:\Windows\Torres_Gemelas.txt

C:\Windows\World_Trade_Center.txt

4. Restoring the deleted files
Restore the following files from known, clean backup copies, if the worm deleted them:

C:\Windows\Regedit.exe

C:\Windows\System\Msconfig.exe

C:\Command.com

5. Removing the values from the registry
CAUTION: It is strongly recommended that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit, and then click OK. (The Registry Editor opens.)
c. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
d. In the right pane, delete any of these values:
GEDZAC C:\Windows\Guindows\GEDZAC.exe
Zacker C:\Windows\Guindows\Zacker.exe
e. Navigate to each of the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Winnt\CurrentVersion
f. In the right pane, modify the Value Data of these values to the correct information for your computer:
RegisteredOwner
RegisteredOrganization
g. In the right pane, delete any of these values:
GEDZAC
Zacker
h. Exit the Registry Editor.

Next, reboot to normal mode and run the fixreg program. You need to make sure that you have saved it as fixreg.reg, not as a .bat file. To do this, open the file with Notepad, then resave it using the Save As option as fixreg.reg, making sure that you have chosen All Files in the "Save as type" dropdown box.

Then restart your computer and post a fresh HijackThis log; then we will clean up the rest of your system.
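An added read-only audit script, not from this thread or from Symantec, that checks the registry values and files the Gemel instructions above tell the user to look for and reports them without deleting anything; it assumes a Windows host with PowerShell, an elevated prompt, and that the key the write-up calls "Winnt\CurrentVersion" is the real "Windows NT\CurrentVersion" key.

```powershell
# Added example (not from the thread or Symantec): read-only audit for the
# W32.HLLW.Gemel indicators listed above. Reports findings, changes nothing.
# "Windows NT\CurrentVersion" is the actual name of the key the write-up calls
# "Winnt\CurrentVersion". Run from an elevated PowerShell prompt.

$findings = [System.Collections.Generic.List[string]]::new()
$wormNames = 'GEDZAC', 'Zacker'

# 1. Autorun values, plus anything pointing at the Guindows folder the worm used.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -in $wormNames -or ("$($p.Value)" -match 'Guindows')) {
            $findings.Add("Run value '$($p.Name)' = $($p.Value)")
        }
    }
}

# 2. The CurrentVersion keys: worm-added values and the owner strings it rewrites.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
                 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $wormNames) {
            $findings.Add("$key has worm value '$($p.Name)'")
        } elseif ($p.Name -in 'RegisteredOwner', 'RegisteredOrganization') {
            $findings.Add("$key\$($p.Name) = '$($p.Value)' (confirm this is yours)")
        }
    }
}

# 3. Files the worm drops, and regedit.exe, which the write-up says it may delete.
$dropped = "$env:SystemRoot\Torres_Gemelas.txt", "$env:SystemRoot\World_Trade_Center.txt",
           "$env:SystemRoot\Guindows\GEDZAC.exe", "$env:SystemRoot\Guindows\Zacker.exe"
foreach ($f in $dropped) { if (Test-Path $f) { $findings.Add("Dropped file present: $f") } }
if (-not (Test-Path "$env:SystemRoot\regedit.exe")) {
    $findings.Add("regedit.exe missing from $env:SystemRoot; restore it from clean media")
}

if ($findings.Count -eq 0) { 'No Gemel indicators found.' } else { $findings }
```

Msconfig.exe and Command.com are not checked because their location differs by Windows version; the paths in the write-up are the Windows 9x ones.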

JohnCenaCG

Posted 12 August 2005 - 08:30 AM


Well I wasn't sure if I wanted to do that because I don't have the back-up utility to back up my files, so what am I supposed to do about that? The site told me that it was on my Windows XP Home Edition CD but I didn't get the CD with the computer though.